Summary: Detecting Backdoors - This week's Nessus plugin feed update includes detection for Poison Ivy, a popular backdoor used by attackers. Poison Ivy allows a remote attacker to control the compromised system, and has mechanisms to jump from process to process. While Anti-Virus products should detect the presence of this software, there is always a chance of gaps. For example, by modifying the Poison Ivy binary, you can change its signature. This means if your Anti-Virus software is out-of-date, an attack will be successful. If a determined attacker, dare I say "APT", were to modify this software to bypass even up-to-date Anti-Virus software, Nessus can be used as a second line of defense in conduction with malicious process detection adding more layers to detection of malware. Greate quote from this article from Fireeye too: "RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors." And this: "Poison Ivy is so widely used that security professionals have a harder time tracing attacks that use the RAT to any particular attacker." Catching Third-Party Software Vulnerabilities - Perhaps one of the toughest challenges for IT today, still, is keeping up with third-party software. Users are going to install software on their own, they find ways (Such as installing virtual machine software). Filling in the gaps nicely is the Passive Vulnerability Scanner. I've been running PVS on my lab network, and witnessed first hand as it flagged a PuTTY vulnerability on one system, and told me that my Flash player was out-of-date on my other system. Third-party vulnerabilities have a tendency to hide, and PVS helps uncovering them in a big way. Interesting how running PVS immediately highlights the fact that my wife never bothers to update the software on the two iPads and one iPhone we have for family use! One Vulnerability Trumps All (Sometimes) - Reading about OSPF vulnerabilities has me worried, especially when the description states: This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.. Routing protocol attacks, while limited to the local network (unless they refer to BGP) can be particularly damaging. "Intercepting traffic" has a deeper meaning. If an attacker is able to insert themselves into the middle of TCP/IP communications, the possibilities for attack are endless. IT teams must assign a high priority to this type of attack. While some traffic will be encrypted, injection attacks can undermine the encryption. For example, the ability to add any HTML or Javascript to any web site the user visits translates into global XSS vulnerabilities, allowing an attacker to undermine any security controls you may have in place (eventually).
